diff options
Diffstat (limited to 'includes/api')
| -rw-r--r-- | includes/api/ApiFormatBase.php | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php index 192c51a7..782a4161 100644 --- a/includes/api/ApiFormatBase.php +++ b/includes/api/ApiFormatBase.php @@ -145,8 +145,11 @@ for more information. * This method also replaces any '<' with < */ protected function formatHTML($text) { - // encode all tags as safe blue strings - $text = ereg_replace('\<([^>]+)\>', '<span style="color:blue;"><\1></span>', $text); + // Escape everything first for full coverage + $text = htmlspecialchars($text); + + // encode all comments or tags as safe blue strings + $text = preg_replace('/\<(!--.*?--|.*?)\>/', '<span style="color:blue;"><\1></span>', $text); // identify URLs $protos = "http|https|ftp|gopher"; $text = ereg_replace("($protos)://[^ '\"()<\n]+", '<a href="\\0">\\0</a>', $text); |